Loading
Salesforce now sends email only from verified domains. Read More
Sales Productivity
Table of Contents
Filter by (0)Add
Select Filters

          No results
          No results
          Here are some search tips

          Check the spelling of your keywords.
          Use more general search terms.
          Select fewer filters to broaden your search.

            Search all of Salesforce Help
            Search all of Salesforce Help
            Set Up a Microsoft Exchange Service Account to Communicate with Lightning Sync

            You are here:

            1. Salesforce Help
            2. Docs
            3. Seller Productivity

            Set Up a Microsoft Exchange Service Account to Communicate with Lightning Sync

            To set up Lightning Sync using a service account, create an Exchange service account with impersonation rights for the mailbox of each Lightning Sync user.

            Required Editions

            Available to sync records from: Salesforce Classic, Lightning Experience, and the Salesforce mobile app
            Available to set up from: Salesforce Classic and Lightning Experience
            Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions with Sales Cloud, Service Cloud, and Lightning Platform
            User Permissions Needed
            To set up a service account to communicate with Lightning Sync: Administrative access to your company’s Exchange server
            Important
            Important

            Starting in Winter ’21, Lightning Sync isn’t available to new Salesforce customers. If you’re on Lightning Sync, use the Lightning Sync migration assistant for a seamless transition to Einstein Activity Capture, our long-term solution for syncing contacts and events between Microsoft® or Google applications and Salesforce.

            In October 2026, Microsoft 365 replaces Exchange Web Service (EWS) with Microsoft Graph API. We recommend taking this opportunity to transition from Lightning Sync to Einstein Activity Capture with Graph API or another supported connection method. See Upgrade Microsoft Office 365 Authentication Method to Microsoft Graph in Einstein Activity Capture.

            Important
            Important Microsoft is retiring Basic Authentication for Exchange Online. When Microsoft blocks Basic Authentication in your Microsoft tenant, Lightning Sync can’t sync contacts and events for customers who have selected service account as their Lightning Sync connection method. See Lightning Sync Service Account Connection Method Availability for Customers on Microsoft Office 365.

            Before setting up an Exchange Service account, make sure you’ve enabled the appropriate Exchange server settings to set up Lightning Sync.

            To set up an Exchange service account, work with your Exchange admin to complete these steps on your Exchange server.

            Watch a Demo:

            Note
            Note For more support, visit Microsoft®’s support website, search for the keywords mentioned here, and follow the instructions intended for your Exchange version.
            1. Create an Exchange user with a mailbox that acts as the service account. You use this email address later to configure Exchange impersonation for the service account.
            2. Using Exchange Management Shell, enter the commands that enable service account impersonation for your version of Exchange. If you receive a pipeline error message, wait a few minutes and reenter the command to let your server process the requests.
              If you’re using Exchange 2019, 2016, or 2013, complete these extra steps.
              1. Enable the Active Directory extended permission for ms-Exch-EPI-Impersonation on all Client Access servers. 
                Get-ExchangeServer | where {$_IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity <EnterExchangeSyncServiceAccountEmailAddress> | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
              2. Enable the Active Directory extended rights for ms-Exch-EPI-May-Impersonate to let your service account impersonate all accounts on your Exchange server. Set a filter later that lets you limit the users the service account syncs with Salesforce. 
                Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User <EnterExchangeSyncServiceAccountAddress> -ExtendedRights ms-Exch-EPI-May-Impersonate}
            3. Using Exchange Management Shell, enter these commands to configure your service account to impersonate the group of users who you want to sync with Lightning Sync.
              1. Create a management scope to define a filter that groups the Exchange users who sync with Lightning Sync. For example, if you want only sales reps to sync, and their Exchange mailboxes have the same value Sales for the filterable property Department, enter Department -eq 'Sales' in place of <ChooseRecipientFilter>. 
                New-ManagementScope -Name:<ChooseExchangeSyncScopeName> -RecipientRestrictionFilter:{<ChooseRecipientFilter>}
              2. Create a management role assignment that restricts the service account to impersonate only the users you defined in the management scope. 
                New-ManagementRoleAssignment -Name:<ChooseExchangeSyncRoleAssignmentName> -Role:ApplicationImpersonation -User:<EnterExchangeSyncServiceAccountAddress> -CustomRecipientWriteScope:<EnterExchangeSyncScopeName>
             
            Loading
            Salesforce Help | Article